The OpenNET Project / Index page

"Problem with the Snort + SnortSam + ipfw combination"
Forum: Open systems on the server (Firewall, packet filtering / FreeBSD)
Original message

"Problem with the Snort + SnortSam + ipfw combination"
Message from ilsetev on 13-Nov-10, 15:19
Hello, everyone! Please help me figure out the following problem:
On FreeBSD 8.1
# uname -a
FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
I installed Snort Version 2.8.6.1 (Build 39) (from ports)
and SnortSam, v 2.69 (from ports)

I start SnortSam in a separate window (without daemon mode)
# /usr/local/etc/rc.d/snortsam start
I get:
Parsing config file /usr/local/etc/snortsam/snortsam.conf...
Linking plugin 'fwexec'...
fwexec: Will call '/sbin/ipfw' to initiate blocks.
Linking plugin 'ipfw2'...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Starting to listen for Snort alerts.

Then, in another window, I start Snort
# /usr/local/etc/rc.d/snort start
Starting snort.

In the SnortSam window two more lines appear:
Accepted connection from 127.0.0.1.
Adding sensor 127.0.0.1 to list.

Snort starts catching attacks, writing them to the database and reporting them through the web front end (BASE), but here is the trouble: SnortSam knows nothing at all about these attacks. After a huge number of caught attacks its output stayed unchanged.
It looks as if Snort does not consider it necessary to inform SnortSam about these attacks at all.
Naturally, nothing appears in the ipfw tables.
I edited every Snort rule (fwsam:src,1day;) along these lines:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; sid:8081; rev:2; fwsam:src,1day;)
In ipfw I added rules for the tables.

# ipfw show
00100     0        0 check-state
00200     0        0 deny ip from any to table(1) via bge1
00300     0        0 deny ip from table(2) to any via bge1
00400 87020 26682081 allow ip from any to any via bge1
00500   648    48600 allow ip from me to me via lo0
65535     0        0 deny ip from any to any

I can't think what else needs to be done???!!!
If anyone knows, please tell me! Thanks in advance!


Messages on this topic


1. "Problem with the Snort + SnortSam + ipfw combination"
Message from ilsetev on 13-Nov-10, 15:20
snort.conf
#--------------------------------------------------
#   http://www.snort.org     Snort Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
###################################################

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
var HOME_NET localhost

# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS  [80,8080]

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
#portvar ORACLE_PORTS 1521

# other variables, these should not be modified
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH ./rules
var SO_RULE_PATH ./so_rules
var PREPROC_RULE_PATH ./preproc_rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-bnfa max_queue_events 5

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 3 order_events content_length

# Configure Inline Resets.  See README.INLINE
# config layer2resets: 00:06:76:DD:5F:E3


###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so

# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort/dynamicrules

###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################

# Target-based IP defragmentation.  For more information, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
# preprocessor stream5_udp: ignore_any_rules

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# Back Orifice detection.
preprocessor bo

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global encrypted_traffic yes check_encrypted inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds no


# SMTP normalization and anomaly detection.  For more information, see README.SMTP
preprocessor smtp: ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# SSH anomaly detection.  For more information, see README.ssh
preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

# SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# DNS anomaly detection.  For more information, see README.dns
preprocessor dns: ports { 53 } enable_rdata_overflow

# SSL anomaly detection and traffic bypass.  For more information, see README.ssl
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted


###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# syslog
output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
output database: log, mysql, user=*** password=*** dbname=*** host=localhost

# unified2

output unified2: filename snort.log, limit 128

# prelude
# output alert_prelude

# snortsam
# In order to cause Snort to send a blocking request to the SnortSam agent,
# that agent has to be listed, including the port it listens on,
# and the encryption key it is using. The statement for that is:
#
# output alert_fwsam: {SnortSam Station}:{port}/{password}
#
#  {SnortSam Station}: IP address or host name of the host where SnortSam is running.
#  {port}:             The port the remote SnortSam agent listens on.
#  {password}:         The password, or key, used for encryption of the
#                      communication to the remote agent.
#
# At the very least, the IP address or host name of the host running SnortSam
# needs to be specified. If the port is omitted, it defaults to TCP port 898.
# If the password is omitted, it defaults to a preset password.
# (In which case it needs to be omitted on the SnortSam agent as well)
#
# More than one host can be specified, but has to be done on the same line.
# Just separate them with one or more spaces.
#
# Examples:
#
# output alert_fwsam: firewall/idspassword
# output alert_fwsam: fw1.domain.tld:898/mykey
output alert_fwsam: 127.0.0.1:898/snort

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
###################################################

# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/backdoor.rules

# include $RULE_PATH/snmp.rules
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/voip.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/bad-traffic.rules

# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

# Event thresholding or suppression commands. See threshold.conf
include threshold.conf
------------------------------------------------------------------------------------------

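A consistency check between the snort.conf above and the snortsam.conf posted in the next message, added here as an example and not taken from the thread or from the Snort/SnortSam projects. It parses the "output alert_fwsam:" station (host:port/key), the port/defaultkey/accept lines of snortsam.conf and the fwsam option of each rule, then reports a key or port mismatch, a sensor missing from the accept list, and rules that alert but never request a block. Assumptions: the fwsam option grammar "who[how], time" and the duration units follow the SnortSam README as I read it, accept hosts are compared literally without name resolution, and the configuration excerpts embedded at the bottom are constructed to mirror the thread.

```python
"""Cross-check a Snort sensor's alert_fwsam output line, the SnortSam agent's config and the
fwsam rule option. Added example for this thread, not Snort or SnortSam project code; the
excerpts at the bottom are constructed to mirror the configuration posted in the thread."""
import re

# snort.conf: "output alert_fwsam: host[:port][/key] [more stations on the same line]"
OUTPUT_RE = re.compile(r'^\s*output\s+alert_fwsam:\s*(.+?)\s*$', re.M)
STATION_RE = re.compile(r'^(?P<host>[^:/\s]+)(?::(?P<port>\d+))?(?:/(?P<key>\S+))?$')
# rule option "fwsam: who[how], time;" (grammar assumed from the SnortSam README)
FWSAM_OPT_RE = re.compile(r'fwsam\s*:\s*(?P<who>src|source|dst|dest|destination|either|both|this)'
                          r'(?:\s*\[[^\]]*\])?\s*,\s*(?P<time>[^;]*?)\s*;', re.I)
# duration "N[unit]": a bare 0 means a permanent block; the unit is read by its first letter
TIME_RE = re.compile(r'^(?P<n>\d+)\s*(?P<unit>(?:s|m|h|d|w|y)[a-z]*)?$', re.I)
UNIT_SECONDS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 604800, 'y': 31536000}
DEFAULT_PORT = 898   # SnortSam's documented default listening port


def block_seconds(n, unit):
    """Seconds for a parsed duration; 'month(s)' is special-cased so it is not read as minutes."""
    if unit and unit.lower().startswith('mo'):
        return int(n) * 30 * 86400
    return int(n) * (UNIT_SECONDS[unit[0].lower()] if unit else 1)


def parse_alert_fwsam(snort_conf):
    """Stations Snort will send block requests to; commented-out output lines are skipped."""
    stations = []
    for m in OUTPUT_RE.finditer(snort_conf):
        for s in filter(None, map(STATION_RE.match, m.group(1).split())):
            # key None means Snort falls back to the plugin's built-in default key
            stations.append({'host': s['host'], 'port': int(s['port'] or DEFAULT_PORT), 'key': s['key']})
    return stations


def parse_snortsam(snortsam_conf):
    """Agent-side values that must agree with snort.conf: port, defaultkey, accept list."""
    cfg = {'port': DEFAULT_PORT, 'defaultkey': None, 'accept': {}}
    for raw in snortsam_conf.splitlines():
        line = re.split(r'(?<!\\)[#;]', raw, maxsplit=1)[0].strip()  # '#' and ';' start remarks
        kw, _, arg = line.partition(' ')
        kw, arg = kw.lower(), arg.strip()
        if kw == 'port':
            cfg['port'] = int(arg)
        elif kw == 'defaultkey':
            cfg['defaultkey'] = arg
        elif kw == 'accept':   # "accept host[, key]"; host kept literally, no DNS lookup
            host, _, key = (p.strip() for p in arg.partition(','))
            cfg['accept'][host.lower()] = key or None
    return cfg


def check_pairing(snort_conf, snortsam_conf, sensor):
    """Mismatches to rule out before suspecting Snort or SnortSam themselves."""
    findings, sam = [], parse_snortsam(snortsam_conf)
    stations = parse_alert_fwsam(snort_conf)
    if not stations:
        return ['snort.conf has no active "output alert_fwsam:" line']
    if sensor.lower() not in sam['accept']:
        findings.append(f'sensor {sensor} is not listed in any "accept" line')
    agent_key = sam['accept'].get(sensor.lower()) or sam['defaultkey']  # None = built-in key
    for st in stations:
        if st['port'] != sam['port']:
            findings.append(f"port mismatch: Snort sends to {st['port']}, "
                            f"SnortSam listens on {sam['port']}")
        if st['key'] != agent_key:
            findings.append(f"key mismatch for {st['host']}: snort.conf uses "
                            f"{st['key']!r}, SnortSam expects {agent_key!r}")
    return findings


def audit_rules(rules_text):
    """(sid, who, seconds) for rules with fwsam, sids that never request a block, malformed."""
    with_opt, without, malformed = [], [], []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = re.search(r'\bsid\s*:\s*(\d+)', line)
        sid = int(sid_m.group(1)) if sid_m else None
        opt = FWSAM_OPT_RE.search(line)
        if opt is None:
            without.append(sid)   # alerts and logs to the DB, but never asks SnortSam for a block
            continue
        t = TIME_RE.match(opt['time'])
        if t is None:
            malformed.append((sid, opt['time']))
            continue
        with_opt.append((sid, opt['who'].lower(), block_seconds(t['n'], t['unit'])))
    return with_opt, without, malformed


# Constructed excerpts: the thread's alert_fwsam line, snortsam.conf keys and edited rule.
SNORT_CONF = "# output alert_fwsam: fw1.domain.tld:898/mykey\noutput alert_fwsam: 127.0.0.1:898/snort\n"
SNORTSAM_CONF = "defaultkey snort\naccept localhost\nlogfile /var/log/snortsam.log  # remark\n"
RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; '
    'flow:to_server,established; content:"M-SEARCH "; depth:9; sid:8081; rev:2; fwsam:src,1day;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed, no fwsam"; sid:9000001; rev:1;)\n'
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed, bad time"; sid:9000002; rev:1; '
    'fwsam: dst, forever;)\n')
```

Against real files, pass the contents of snort.conf, snortsam.conf and the rules files and the sensor name exactly as it appears in the accept line; a non-empty findings list, or sids in the "without" list, is what to fix first.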

2. "Problem with the Snort + SnortSam + ipfw combination"
Message from ilsetev on 13-Nov-10, 15:23
snortsam.conf
# snortsam.conf.sample - Frank Knobbe <frank@knobbe.us>
# -----------------------------------------------------------------------------
#
# This is a sample configuration file (derived from README.conf).
# On Windows systems it is called snortsam.cfg by default and is located in
# the same directory where SnortSam.exe resides. On Unix systems, the default
# is /usr/local/etc/snortsam/snortsam.conf. Please remove the # to enable an option.
#
# The config file is a text file containing one or more of the following lines.
#
#
# SnortSam specific options:
# --------------------------
#
# # a remark                
#
#   Lines starting with # or ; are remarks. All text after # (or ;) is
#   truncated which means that you can list an # after a valid option as well.
#   If you intend to use a # (or ;) as part of an option, you have to escape it
#   with a back-slash, for example:
#
#      <option> This is a \# valid char  # But this is a comment
#
#   This would translate after parsing to:
#
#      <option> This is a # valid char
#
#
#
defaultkey snort
#
#   Sets the default key for ALL allowed hosts to <key>.
#   The default key is used when no other key is specified in an ACCEPT option.
#   You have to use the same key in the snort.conf file in the
#   "output alert_fwsam line". If the keys, or passwords if you will, don't
#   match, SnortSam cannot decrypt the request from Snort and ignores it.
#
#   Example:   defaultkey mydefaultpassword
#
#   If omitted, SnortSam will use a default key (in which case it would have to
#   be omitted in snort.conf as well).
#
#                          
#
# port <port>              
#
#   This sets the listening port to <port>.
#
#   Example:   port 666
#
#   It defaults to 898 if this line is omitted.
#
#
#
accept localhost
#
#   This option lists Snort sensors that SnortSam is accepting packets from.
#   You can specify hostname, IP address, IP address and network mask, and
#   optionally an encryption key configured for that host or network.
#
#   Examples:  accept 10.10.0.0/16, officepassword
#              accept snort1, hostpassword
#              accept 192.168.1.1
#                          
#   If the password is omitted, the default key specified with DEFAULTKEY will
#   be used. You can only specify one host per line, but you can supply
#   unlimited lines.
#
#
#
# keyinterval <time>
#
#   This causes the agent to request/create a new encryption key every <time>.
#   If this line is omitted, the key lifetime defaults to 4 hours. You can use
#   'hours', 'days', 'months', 'weeks', 'years' in the duration.
#
#   Example:   keyinterval 30 minutes
#
#
#
# dontblock <host>/<mask>
# dontunblock <host>/<mask>
#
#   This adds the host or network to the white-list of hosts/networks that will
#   never be blocked or unblocked. Blocking or unblocking requests for hosts
#   on this list are ignored.
#
#   Examples:  dontblock a.root-servers.net
#              dontblock 192.168.10.0/24
#
#   Only one host/network per line can be specified, but you can list unlimited
#   lines
#
#
#
# onlyblock <host>/<mask>
# onlyunblock <host>/<mask>
#
#   If this is specified, Snortsam will only block IP addresses that match this
#   list of IPs or networks. All other block requests are ignored. The same
#   applies to unblocks if the "onlyunblock" keyword is specified. Uses for
#   the latter might be limited, but it's available. DONTBLOCK still applies
#   within this list.
#
#   Examples:  onlyblock 10.0.0.0/8
#
#   Only one host/network per line can be specified, but you can list unlimited
#   lines
#
#
#
# override <host>/<mask>,<time>
#
#   Each Snort rule requests its own time interval for the blocking request.
#   Here on the agent, you can override the duration with a specified value.
#   This is good for proxy servers, or other situations, where an attacker
#   'shares' an IP address with other hosts/users that you don't want to
#   block for long. (You don't want to block ALL of AOL for a week... :)
#
#   Examples:  override proxy.aol.com, 5 min
#              override 192.168.1.0/24, 10 sec
#
#
#
# upperlimit <host>/<mask>,<time>
# limit <host>/<mask>,<time>
#
#   This statement allows you to set a maximum time duration for all SID/blocks
#   dependent on the reporting sensor. It acts like 'override', but instead of
#   setting a new duration, this statement limits the duration to the defined
#   maximum blocktime. Note that the host/network refers to a Snort sensor
#   (or a forwarding Snortsam station) and does not refer to the IP address to
#   be blocked like 'override' does.
#  
#   Example:   limit 192.168.1.0/24, 2 weeks
#  
#  
#
# lowerlimit <host>/<mask>,<time>
# atleast <host>/<mask>,<time>
#
#   This statement allows you to set a minimum time duration for all SID/blocks
#   dependent on the reporting sensor. It is the complement to 'limit', but
#   instead of reducing the duration to a maximum limit, it bumps up any
#   duration that is lower to this minimum duration.
#  
#   Example:   limit 192.168.1.0/24, 1 day
#
#
#
# denysidfrom <host>/<mask>: <sid>,<sid>,...
#
#   This statement causes Snortsam to ignore blocking requests for particular
#   SID based on a given sensor. Either a single SID or multiple SIDs can be
#   listed. When listing multiple SIDs, make sure you separate them with commas
#   and not just spaces.
#
#   Examples:  denysidfrom 192.168.1.0/24: 1345
#              denysidfrom othersnortsam.someone.net: 1411, 1422, 0, 2002123
#              
#   (Note the use of SID 0 which is typically used for manual blocks/unblocks
#   when no SID is specified, for example, on the command line when using the
#   samtool.)
#
#
#
# allowsidfrom <host>/<mask>: <sid>,<sid>,...
#
#   This statement is the invert of 'denysidfrom'. It will cause Snortsam to
#   only accept the SIDs listed and by default ignore all other SIDs.
#   If a conflict exists because the same SID appears in an 'allowsidfrom' line and
#   a 'denysidfrom' line, the deny takes priority.
#  
#   Example:   allowsidfrom 10.0.0.0/8: 3200, 3201, 3203, 4332, 4333, 4334
#
#
#
# rollbackhosts <amount>
#
#   This tells SnortSam to keep a record of <amount> last blocks for each
#   Snort sensor. These blocks will be rolled back, meaning the hosts
#   unblocked, in the event that the blocking threshold is exceeded.
#
#   Example:   rollbackhosts 50
#
#   If omitted, SnortSam will not keep a record of the IP addresses that have
#   been blocked for rollback purposes.
#
#
#
# rollbackthreshold <amount> / <time>
#
#   This specifies the blocking threshold. If the threshold is exceeded (more
#   than <amount> blocking requests in <time>), SnortSam will unblock the last
#   <x> hosts specified by the ROLLBACKHOSTS statement.
#
#   Example:   rollbackthreshold 20 / 30 secs
#
#  
#
# rollbacksleeptime <time>
#
#   When the rollback threshold has been exceeded, SnortSam will ignore
#   blocking requests until the level drops back below the threshold. Using
#   this option you can specify an additional time period that SnortSam will
#   wait until it starts acting on blocking requests again.
#
#   Example:   rollbacksleeptime 1 minute
#
#   If omitted, and the rollback mechanism is used, it defaults to 15 minutes.
#
#
#
# skipinterval <time>          
#
#   SnortSam skips repetitive, identical blocking requests (for performance
#   reasons). Here you specify the time interval for which blocks are
#   considered repetitive.
#
#   Example:   skipinterval 30 secs
#
#   If omitted, SnortSam will use a default time period of 10 seconds in which
#   it considers requests to be repetitive.
#
#
#
# skiphosts <amount>
#
#   Tells SnortSam how many hosts it should remember for repetitive block
#   checks.
#
#   Example:   skiphosts 10
#
#   If omitted, SnortSam will remember a default of 10 hosts.
#
#
#
logfile /var/log/snortsam.log
#
#   SnortSam will use this file to log certain events such as program start,
#   block/unblock actions performed and error events. If only a file name is
#   specified (without a path), the file will be created a) on Windows systems
#   in the same directory where SnortSam.exe resides, and b) on Unix systems
#   in /var/log.
#
#   Example:   logfile snortsam.log
#
#   No logging occurs if this line is omitted.
#
#
#
loglevel 3
#
#   The file logging level can be set to 0, 1, 2, or 3:
#      0: Quiet - No logging occurs.
#      1: Sparse - Only errors are logged.
#      2: Normal - Errors and blocks are logged.
#      3: Verbose - Additional information (such as connections/disconnections)
#         are logged as well.
#
#   Example:   loglevel 2
#
#   If omitted, a level of 2 (normal logging) is assumed.
#
#
#
screenlevel 3
#
#   The logging level, just like loglevel, but for screen output.
#     (See above for values)
#
#   Example:   screenlevel 3
#
#   If omitted, a level of 2 (normal logging) is assumed.
#
#
#
# include <file>
#
#   This statement includes another configuration file. Only one level of
#   inclusion is supported.
#
#   Example:   include dontblocklist.cfg
#
#
#
# statefile <filename>
#
#   SnortSam will use this file name for the state file instead of the default.
#   This avoids conflicts on hosts with multiple Snortsam instances.
#
#   The default of /var/db/snortsam.state (or snortsam.sta on Windows) is used
#   if this line is omitted.
#
#   Example:   statefile /var/db/2nd-snortsam.state
#
#
#
# avoidstatefile
#
#   Starting with version 2.8, SnortSam will always keep a state file so the
#   additions to dontblock-list can be checked against current blocks (and
#   unblocked automatically if a host is on the DONTBLOCK list, but had been
#   blocked before). If you are using SnortSam only to block on Checkpoint
#   firewalls, you could avoid the state file since FW-1 will time-out blocks
#   by itself. To do that, just use this statement in the config file.
#
#   Example:   avoidstatefile
#
#   Note that if you load a plugin that requires SnortSam to unblock the
#   blocks, and thus requires the state file, it will be created regardless if
#   this option is present.
#
#
#
# disablereverselookups
#
#   This option turns off reverse name resolution in logging plugins, currently
#   only used by the email plugin.
#
#   Example:   disablereverselookups
#
#
#
# disablepersistentconnections
# disablepersistenttcp
#
#   This option turns off persistent TCP connections for the FORWARD plugin as
#   introduced with version 2.51. It also does not use persistent connections
#   for connecting hosts like the Snort plugin, a remote forwarder, or the
#   samtool. In essence, Snortsam will behave like pre-2.51 versions.
#   The default is now to leave persistent-TCP disabled. See also below.
#  
#   Example:   disablepersistentconnections
#
#
#
# enablepersistentconnections
# enablepersistenttcp
#
#   This option turns on persistent TCP connections for the FORWARD plugin as
#   introduced with version 2.51. It also accepts persistent connections from
#   connecting hosts like the Snort plugin, a remote forwarder, or the samtool.
#   In essence, Snortsam will behave like pre-2.51 versions.
#    
#   By default, persistent TCP connections are disabled now, and you need this
#   option to forcefully enable it. Beware, persistent TCP connections are
#   still experimental and may cause problems.
#
#   Example:   enablepersistentconnections
#
#
#
# disableseqnocheck
#
#   This option turns off sequence number checking in SnortSam. SeqNo
#   violations are currently not punished (by banning the offending Snort
#   sensor), but it was planned to do so in the future to increase security.
#   Use this option to turn packet sequence number checking off.
#
#   Example:   disableseqnocheck
#
#
#
# holdsnort
#
#   This option requires version 1.13 or higher of the Snort plugin. It places
#   Snort 'on hold' during processing of the blocking request, and resumes
#   Snort once the block is completed.
#
#   Example:   holdsnort
#
#   THIS WILL SLOW SNORT DOWN! USE ONLY FOR TESTING OR IN CONJUNCTION WITH
#   BARNYARD!
#
#
#
# nothreads                
#
#   This option disables the multi-threading capability and causes SnortSam
#   not to use thread functions at all. Instead, all plugins are executed
#   sequentially within the main process. This makes SnortSam behave like the
#   old, single-threaded version 1. It is useful for testing, or if you
#   encounter problems with plugins that have problems with POSIX threads.
#
#   Example:   nothreads
#
#
#
# forcethreads                
#
#   This option forces use of multi-threading capability on systems that have
#   it disabled by default, which currently is all Linux versions.
#  
#   Example:   forcethreads
#
#
#
#daemon                
#
#   This option causes Snortsam to turn into a daemon upon startup. It is
#   similar to the -D option of many other tools and services.
#
#   Example:   daemon
#
#
#
# bindip
#
#   This option causes Snortsam to bind only to one IP address (or interface)
#   instead of listening on all interfaces/addresses.
#
#   Example:   bindip 192.168.0.1
#
#
#
#
# Firewall specific options:
# --------------------------
#
fwexec /sbin/ipfw      
#
#   If specified, SnortSam will call the fw.exe executable to create the blocks
#   on Firewall-1. Normally you would use either 'fwsam' or 'opsec' (see
#   below). This line is useful if there are problems with OPSEC or you don't
#   want to send packets to the firewall. SnortSam will have to run on the
#   FW-1 host of course.
#
#   Example:   fwexec c:\winnt\fw\bin\fw.exe
#
#
#
# fwsam 127.0.0.1
#
#   This statement tells SnortSam to use the self-assembled OPSEC packet to
#   initiate blocks. You have to specify the name or IP address of the
#   firewall to which to send the block. You can only list one IP address per
#   line, but supply unlimited lines (one for each firewall you have).
#
#   Examples:  fwsam 127.0.0.1
#              fwsam wanfw.corp.com
#
#
#
# fwsamipflip
#  
#   The fwsam method should block the correct IP address if SnortSam is run on
#   the firewall host itself. However, if SnortSam runs on a small-endian box,
#   and FW-1 runs on a big-endian box, it may block the reversed IP address.
#   Use this option to flip it back to normal.
#  
#   Example:   fwsamipflip
#  
#
#
# opsec <file>
#
#  This statement tells SnortSam to use the OPSEC API functions of the OPSEC
#  plug-in, configured through the <file> config file (opsec.conf is available
#  as an example. Also see README.opsec). Use this instead of fwsam for use of
#  the official OPSEC API. You can add more than one config to allow more than
#  one firewall to execute the block (each firewall would need its own conf
#  file). Currently, only clear-text is supported, but you may have luck with
#  auth_port or SSL. If so, please let me know.
#
#  Examples:  opsec opsec.conf
#             opsec wan_firewall.conf
#
#  In opsec.conf, or whatever your file is named, change the IP of the server
#  to reflect your firewalls IP (or leave at 127.0.0.1 if you run SnortSam on
#  the firewall itself).
#
#
#  NOTE TO ABOVE METHODS:
#
#  If you are blocking on Checkpoint Firewall-1, use ONE OF THE THREE METHODS
#  listed above. You don't have to specify them all. It is your choice which
#  method to use (although I personally recommend fwsam).
#
#
#
# pix <ip> <telnetpw> <enablepw>
# pix <ip> <username>/<password> <enablepw>
#
#   This statement tells SnortSam to use the PIX plugin. SnortSam will telnet
#   into the PIX at address <ip>, log in with the given telnet and enable
#   password, and use the SHUN command to block IP addresses. If the second
#   parameter contains a /, SnortSam will use the word before the / as the
#   username and the remainder as the user password. This is useful when a PIX
#   has been configured to use RADIUS or TACACS for login authentication.
#
#   Examples:  pix 1.2.3.4 letmein enableme
#                
#   If the enable password is omitted, the telnet password will be used at the
#   telnet and enable prompt.
#
#
#
# ciscoacl <ip> <telnetpw> <enablepw> <acl_filename>
# ciscoacl <ip> <username>/<password> <enablepw> <acl_filename>
#
#   This statement tells SnortSam to use the Cisco ACL plugin to block IP's on
#   a Cisco router. SnortSam will telnet into router at address <ip>, log in
#   with the <telnetpw> as the password at the telnet prompt, or use
#   <username> and <password> if TACACS is used for authentication, and modify
#   the Access Control List. You need to supply your baseline configuration
#   file <acl_filename> in the configuration line. SnortSam will insert ACL
#   statements so that access from and to the intruding IP address is denied,
#   and upload the config to the router.
#
#   Example:   ciscoacl 1.2.3.4 telnetpw enablepw myconfig
#
#   If the router is configured to authenticate access with TACACS, you would
#   use:
#              ciscoacl 1.2.3.4 user/password enablepw myconfig
#
#
#
# cisconullroute <ip> <telnetpw> <enablepw>
# cisconullroute <ip> <username>/<password> <enablepw>
#
#   This statement tells SnortSam to use the Cisco Null-Route plugin to block
#   IP's on a Cisco router. SnortSam will telnet into router at address <ip>,
#   log in with the <telnetpw> as the password at the telnet prompt, or use
#   <username> and <password> if TACACS is used for authentication, and issue
#   a route command that will "null-route" the IP to be blocked. It will then
#   save the configuration to memory. Once the block has expired, Snortsam will
#   again log in and remove the added route, saving the config to memory.
#
#   Example:   cisconullroute 1.2.3.4 telnetpw enablepw
#
#   If the router is configured to authenticate access with TACACS, you would
#   use:
#              cisconullroute 1.2.3.4 user/password enablepw
#
#
#
# cisconullroute2 r=<ip> p=telnetpw e=enablepw
# cisconullroute2 r=<ip> p=telnetpw e=enablepw t=<tag>
# cisconullroute2 r=<ip> u=username p=password e=enablepw t=<tag> a=y
#
#   This statement tells SnortSam to use the Cisco Null-Route2 plugin to block
#   IP's on a Cisco router. This is a more flexible version of the
#   Cisco Null-Route plugin (see above) with a few more options.
#   You can specify a 'route tag' to mark the route on the router.
#   Eg. t=667, would result in 'ip route x.x.x.x 255.255.255.255 Null0 tag 667'.
#   You can also set the auto-enable option to y (a=y) if SnortSam should NOT
#   run the enable command because the login lands directly in e.g. priv-level 15.
#
#   Parameters:
#   r=<router ip> (required)
#   u=<username> (optional)
#   p=<password> (required)
#   e=<enable password> (optional)
#   t=<route tag> (optional [1-4294967295])
#   a=<auto-enable> (optional, [yn])
#
#   Example:
#   cisconullroute2 r=1.2.3.4 u=username p=password e=enablepw t=666 a=y
#   cisconullroute2 r=1.2.3.4 p=telnetpw e=enablepw t=666
#   cisconullroute2 r=1.2.3.4 p=telnetpw e=enablepw
#
#
#
# email <smtpserver>:<port> <recipient> <sender>
#
#   This statement sends an email for every block and unblock event. You
#   specify your SMTP server by name or IP address, and the email address you
#   want to send the notification to. Only one recipient per line is supported,
#   but more than one line can be specified. By default, SnortSam will send the
#   email from SnortSam@<hostname>, but you can override the sender by adding
#   a specific sender after the recipient. Also, you can optionally specify
#   a custom port in case you run SMTP on a different port. (Default is 25)
#
#   Example:   email mailserver.mydom.com root@mydom.com
#              email 127.0.0.1 admin@mydom.com SnortSam@mydom.com
#              email localhost:10025 ops@mydom.com
#               
#
#
# email-blocks-only <smtpserver>:<port> <recipient> <sender>
#
#   This statement is the same as "email" except that it only sends emails for
#   block events, not unblock events. This was easier to implement as a plugin
#   since "email" requires the creation of a state file while
#   "email-blocks-only" does not (see also "avoidstatefile").
#
#   Example:   email-blocks-only mailserver.mydom.com root@mydom.com
#
#
#
# netscreen <ip> <login id> <login password> <optional groupname> <opt zone name>
#
#   This statement will activate the Netscreen plugin. It is similar to the PIX
#   plugin in that it telnets into the firewall, but instead of issuing a shun
#   command (which the Netscreen doesn't have), it adds the IP to be blocked to
#   a group which you can use for a global 'deny' rule. For more info, please
#   see README.netscreen.
#
#   Example:   netscreen 10.0.0.1 admin mypassword MyBlockGroup MyZone
#
#   If the group name is omitted, SnortSam will add/remove IP's to/from the
#   default group called 'SnortSam'.
#   Also, one can override the default zone name with a custom zone name. The
#   MyZone parameter is optional. If used, a block group name must also be
#   specified.
#
#
#
# ipf <adapter> <loglevel>
#
#   This plugin will execute the command ipf locally and block the host by
#   adding a rule to the ipf policy. You have to specify the adapter to block
#   on (for example, fxp0) and you can optionally add a logging facility
#   (default is local7.info).
#
#   Example:   ipf ep0 local7.info
#
#
#
# pf bge1 log
#
#   This plugin will use an ioctl syscall to control the pf device in order to
#   block the host by adding a rule to the active rule set of pf. You have to
#   specify the adapter to block on (for example, fxp0) and you can optionally
#   add a log option (log, logall).
#
#   Example:   pf dc0 log
#
#
#
# pf2 <anchor> <table> <kill>
#
#   This plugin will use an ioctl syscall to control the pf device in order to
#   block the host by adding the IP into a pf table. Additional active pf
#   states to/from the host will be killed.
#
#   Example: pf2 anchor=snortsam table=block kill=all
#
#
#
# ipchains <adapter> <logoption>
#
#   This plugin will use a setsockopt call to control the ipchains options
#   in order to block the host by adding a rule to the active rule set.
#   You have to specify the adapter to block on (for example, eth0) and you can
#   optionally add a log option (log, logall).
#
#   Example:   ipchains eth0 log
#
#
#
# iptables <adapter> <logoption>
#
#   This plugin will call the iptables executable in order to block the host by
#   adding a rule to the active rule set. You have to specify the adapter to
#   block on (for example, eth0) and you can optionally add a log option.
#
#   Example:   iptables eth0 syslog.info
#
#
#
# ebtables <adapter> <logoption>
#
#   This plugin will call the ebtables executable in order to block the host by
#   adding a rule to the active rule set. You have to specify the adapter to
#   block on (for example, eth0) and you can optionally add a log option.
#
#   Example:   ebtables eth0 syslog.info
#
#
#
# watchguard <path/to/fbidsmate> <ip-of-firebox> <configpassword>
# watchguard <path/to/fbidsmate> <ip-of-firebox> file <configpassfile>
#
#   This plugin will call the fbidsmate program to block the host on Watchguard
#   firewalls. You have to specify the path to the fbidsmate program, the
#   IP address of the firewall, and either a clear-text password, or the name
#   of a file containing the encrypted password. For more information, please
#   see the README.wgrd file.
#
#   Examples: watchguard /bin/fbidsmate 10.1.0.1 mySecretPass
#             watchguard /bin/fbidsmate 10.1.0.1 file /etc/fbidsmate.passphrase
#
#
#
# 8signs <path/dfw.exe> <tarpit>
#
#   SnortSam will call the specified dfw.exe executable to create the block
#   on the 8signs firewall. Snortsam will always block IPs without expiration
#   (-expiry n) because the 8signs firewall can only block for a day, a week,
#   or permanently. Snortsam blocks permanently and then times-out the blocks
#   itself, issuing an unban of the IP to 8signs, so that normal time
#   intervals are possible (for example, 10 minute blocks).
#   Optionally, the word "tarpit" can be appended to cause 8signs to ban and
#   tarpit the IP address.
#
#   Examples:  8signs c:\progra~1\8signs~1\dfw.exe
#              8signs c:\progra~1\8signs~1\dfw.exe tarpit
#
#
#
# isa <log>
#
#   SnortSam will use the API in msfpccom.dll to control the Microsoft ISA
#   Server interface in order to add blocking rules to the ISA firewall
#   rules.
#   Optionally, the word "log" can be appended to cause ISA Server to log
#   connection attempts from the blocked IP address.
#
#   Examples:  isa
#              isa log
#
#
#
# chx-i <path/fltcon.exe> <log>
#
#   SnortSam will call the specified fltcon.exe executable (or just fltcon if
#   none is specified, in which case fltcon would need to be in the PATH) to
#   create the block on the CHX-I packet filter. Snortsam can only block, and
#   can not forcefully unblock IP addresses. In order to forcefully remove
#   a blocked host, just restart the CHX-I service and all blocked IP addresses
#   are released.
#   Optionally, the word "log" can be appended to cause CHX-I to log blocked
#   packets.
#
#   Examples:  chx-i c:\somewhere\fltcon.exe
#              chx-i fltcon.exe log
#
#
#
ipfw2 bge1 1 2
#
#   This plugin will add/remove IP addresses to be blocked/unblocked into the
#   corresponding table(s). Tables are a new feature of ipfw2. You have to set
#   up these tables manually before starting Snortsam exactly like this:
#
#         deny ip from any to table(<inbound-table>) via <adapter>
#   and:  deny ip from table(<outbound-table>) to any via <adapter>
#
#   If these tables are not present in your ipfw2 rule set, Snortsam will not
#   start and report an error. With the tables present, configure Snortsam
#   accordingly.
#
#   Example:   ipfw2 ep0 1 2
#
#   With tables rules like:
#              00010 deny ip from any to table(1) via ep0
#              00011 deny ip from table(2) to any via ep0
#
#
#
# forward <snortsam-ip>:<port>/<password>
#
#   This plugin will forward a block/unblock request to another Snortsam agent
#   running on this or another host. This allows you to link Snortsams in a chain,
#   providing for a completely distributed blocking infrastructure. You can
#   configure two Snortsam agents to forward to each other. The loop is avoided
#   by the repetitive block prevention. IF YOU DISABLE REPETITIVE BLOCK
#   SETTINGS, YOU WILL CREATE AN ENDLESS LOOP CAUSING RESOURCE EXHAUSTION OR
#   STARVATION OR A DENIAL-OF-SERVICE CONDITION!
#   Take note that any white-list or override lists are processed before the
#   request is forwarded. The planned "passthrough" plugin will avoid this
#   limitation in the future. It is recommended to create separate Snortsam
#   instances for "distribution hubs" which don't have white-list or override
#   restrictions.
#
#   Example:   forward secondsnortsam.domain.net
#              forward other-snortsam.mynet.com/otherpass
#              forward 127.0.0.1:890
#
# -----------------------------------------------------------------------------
# $Id: snortsam.conf.sample,v 1.20 2009/11/27 01:39:39 fknobbe Exp $

P.S. Sorry for such a long post! I just wanted to describe the problem as fully as possible.
If anything else is needed, just ask!
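The ipfw2 plugin section of the posted config says SnortSam refuses to start unless the two `deny ... table(N) via <adapter>` rules already exist, and the adapter in those rules has to match the one on the `ipfw2` line (the post uses `bge1`, the sample comments show `ep0`). The following pre-flight check is an added example, not SnortSam's own code: it takes the text of `ipfw list` and reports which of the two rules is missing for a given adapter and table pair; the two rulesets embedded here are constructed samples.

```shell
#!/bin/sh
# Pre-flight check for the SnortSam ipfw2 plugin (added example, not part of
# SnortSam). The plugin expects these two rules to be present already:
#     deny ip from any to table(<inbound-table>) via <adapter>
#     deny ip from table(<outbound-table>) to any via <adapter>
# In live use the ruleset text comes from `ipfw list`; here constructed samples
# are embedded so the script can run offline.

# Usage: check_ipfw2_rules <adapter> <inbound-table> <outbound-table> <ruleset-text>
# Returns 0 when both rules are present, 1 otherwise (each missing rule is named
# on stderr, so an operator sees exactly which line to add).
check_ipfw2_rules() {
    adapter=$1; in_tbl=$2; out_tbl=$3; rules=$4
    missing=0
    # `ipfw list` prints the rule number first, zero-padded, then the rule body.
    if ! printf '%s\n' "$rules" | \
         grep -Eq "^[0-9]+ +deny ip from any to table\(${in_tbl}\) via ${adapter}\$"; then
        echo "missing: deny ip from any to table(${in_tbl}) via ${adapter}" >&2
        missing=1
    fi
    if ! printf '%s\n' "$rules" | \
         grep -Eq "^[0-9]+ +deny ip from table\(${out_tbl}\) to any via ${adapter}\$"; then
        echo "missing: deny ip from table(${out_tbl}) to any via ${adapter}" >&2
        missing=1
    fi
    return $missing
}

# Constructed `ipfw list` output that matches the posted line "ipfw2 bge1 1 2".
SAMPLE_OK='00010 deny ip from any to table(1) via bge1
00011 deny ip from table(2) to any via bge1
65535 allow ip from any to any'

# Constructed output where the table rules exist but name a different adapter,
# which is the mismatch that makes the plugin fail at startup.
SAMPLE_WRONG_IF='00010 deny ip from any to table(1) via ep0
00011 deny ip from table(2) to any via ep0
65535 allow ip from any to any'

# Live use on the FreeBSD box, before starting snortsam (requires root):
#     check_ipfw2_rules bge1 1 2 "$(ipfw list)" && /usr/local/etc/rc.d/snortsam start
```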
